Bastille templates are very useful for automating the configuration of devices, whether they are jails, physical devices or virtual machines. In this article, we will see how to perform a base configuration using this system.
The first step is to create the git repository; in my case, it is a repository on a locally hosted GitOlite.
Clone the repository on our local PC:
Create the directories and files that Bastillefile needs to perform the configuration:
cd bastille-basicconfiguration
mkdir -p home/kr0m/.ssh/
vi home/kr0m/.ssh/authorized_keys
vi home/kr0m/.bashrc
vi home/kr0m/.bash_profile
vi home/kr0m/.vimrc
mkdir -p root/.scripts
vi root/.bashrc
vi root/.bash_profile
vi root/.vimrc
vi root/.scripts/securityCheck.sh
vi root/.scripts/sshKeys.py
vi root/.scripts/sshAccess.py
mkdir -p usr/local/etc/rc.d
vi usr/local/etc/rc.d/sshAccess
mkdir -p var/cron/tabs/
vi var/cron/tabs/root
The final directory/file structure will be as follows:
├── Bastillefile
├── home
│   └── kr0m
│       ├── .bash_profile
│       ├── .bashrc
│       ├── .ssh
│       │   └── authorized_keys
│       └── .vimrc
├── root
│   ├── .bash_profile
│   ├── .bashrc
│   ├── .scripts
│   │   ├── securityCheck.sh
│   │   ├── sshAccess.py
│   │   └── sshKeys.py
│   └── .vimrc
├── usr
│   └── local
│       └── etc
│           └── rc.d
│               └── sshAccess
└── var
    └── cron
        └── tabs
            └── root
In the Bastillefile, define the actions to be performed on the jail (software installation, file modification, user addition, file copying and service startup):
CMD ASSUME_ALWAYS_YES=yes pkg upgrade
PKG vim bash bash-completion curl bat py39-pip rsync python
CMD pip install --upgrade pip
CMD pip install requests
CMD bash -c 'sed -i "" "s/127.0.0.1\t\tlocalhost localhost.my.domain/127.0.0.1\t\t$HOSTNAME $HOSTNAME.alfaexploit.com localhost localhost.my.domain/g" /etc/hosts'
CMD bash -c 'id kr0m >/dev/null 2>&1;if [ $? -eq 0 ];then echo "KR0M-PASSWORD" | pw usermod -n kr0m -s /usr/local/bin/bash -h 0;else echo "KR0M-PASSWORD" | pw useradd -n kr0m -m -G wheel -s /usr/local/bin/bash -h 0;fi'
CMD echo "ROOT-PASSWORD" | pw usermod -n root -s /usr/local/bin/bash -h 0
CP home usr
CMD chmod 700 /usr/home/kr0m/.ssh
CMD chown -R kr0m:kr0m /usr/home/kr0m
CP root /
CMD chmod 700 /root/.scripts/sshKeys.py
CMD chmod 700 /root/.scripts/securityCheck.sh
CMD chmod 700 /root/.scripts/sshAccess.py
CP usr /
CMD chmod 555 /usr/local/etc/rc.d/sshAccess
CMD chown root:wheel /usr/local/etc/rc.d/sshAccess
CP var /
CMD chmod 600 /var/cron/tabs/root
SYSRC sshAccess_enable=YES
SERVICE sshAccess start
SYSRC sshd_enable=YES
SERVICE sshd start
NOTE: The CP command only adds content: existing files are preserved and new ones are added.
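A lint pass for a Bastillefile like the one above, as an added example (not part of the original article or of Bastille itself). It flags password literals piped to pw, which anyone with read access to the template repository can see, chmod modes that grant group or other write, and SERVICE start lines that come before their SYSRC enable. The sample template, the function name and the rule names are constructed for illustration.

```python
import re

# Constructed sample in the style of the Bastillefile above, with one loose
# chmod and one SERVICE started before its SYSRC added on purpose.
SAMPLE = """\
CMD echo "ROOT-PASSWORD" | pw usermod -n root -s /usr/local/bin/bash -h 0
CP root /
CMD chmod 700 /root/.scripts/sshKeys.py
CMD chmod 666 /var/cron/tabs/root
SERVICE sshAccess start
SYSRC sshAccess_enable=YES
SYSRC sshd_enable=YES
SERVICE sshd start
"""

# A quoted literal (no $variable) echoed into `pw useradd/usermod ... -h 0`.
PW_LITERAL = re.compile(
    r"""echo\s+(["'])[^"'$]+\1\s*\|\s*pw\s+user(?:add|mod)\b.*-h\s+0""")
CHMOD = re.compile(r"\bchmod\s+(?:-R\s+)?([0-7]{3,4})\s+(\S+)")
ENABLE = re.compile(r"(\w+)_enable=YES$", re.IGNORECASE)


def audit_bastillefile(text):
    """Return (line_number, rule, detail) tuples for lines worth reviewing."""
    findings, enabled = [], set()
    for number, line in enumerate(text.splitlines(), 1):
        verb, _, rest = line.strip().partition(" ")
        rest = rest.strip()
        if verb == "CMD":
            if PW_LITERAL.search(rest):
                findings.append((number, "password-literal", "piped to pw -h 0"))
            for mode, path in CHMOD.findall(rest):
                if int(mode, 8) & 0o022:  # group or other write bit is set
                    findings.append((number, "loose-mode", f"{mode} {path}"))
        elif verb == "SYSRC":
            match = ENABLE.match(rest)
            if match:
                enabled.add(match.group(1))
        elif verb == "SERVICE":
            name, _, action = rest.partition(" ")
            if action.strip() == "start" and name not in enabled:
                findings.append((number, "start-before-enable", name))
    return findings


if __name__ == "__main__":
    for number, rule, detail in audit_bastillefile(SAMPLE):
        print(f"line {number}: {rule}: {detail}")
```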
We create the RO user for the GitOlite repository:
repo bastille-basicconfiguration
    RW+ = kr0m
    R = mightymax
git commit -m "Added RO user to bastille-basicconfiguration repository configuration"
git push
We create a NameSpace and clone the repository inside:
cd /usr/local/bastille/templates/datadyne.alfaexploit.com
git clone gitolite@datadyne.alfaexploit.com:bastille-basicconfiguration.git
/usr/local/bastille/templates
/usr/local/bastille/templates/datadyne.alfaexploit.com
/usr/local/bastille/templates/datadyne.alfaexploit.com/bastille-basicconfiguration
We create a test jail:
We apply the template: